vpnMentor Researchers discover vulnerability in BHIM App

The research team at vpnMentor, the world’s largest VPN review website, which runs a research lab that helps the online community defend itself against cyber threats and educates organizations on protecting their users’ data, today announced the discovery of a massive data leak from the popular BHIM mobile payment app, affecting millions of users across India.

The BHIM (Bharat Interface for Money) mobile payment app was launched in 2016 by the National Payments Corporation of India (NPCI). By 2020, the NPCI recorded over 136 million downloads of the BHIM App. Led by Noam Rotem and Ran Locar, vpnMentor’s research team discovered that a massive amount of highly sensitive financial data connected to the BHIM mobile payment app had been exposed to the public.

The website was being used in a campaign to sign up large numbers of users and business merchants to the app from communities across India. According to vpnMentor, some of the data collected in this campaign was being stored on a misconfigured Amazon Web Services S3 bucket and was publicly accessible.

The scale of the exposed data is extraordinary, affecting millions of people all over India and exposing them to potentially devastating fraud, theft, and attack from hackers and cybercriminals.

The full report, detailing the data leak and including samples of the images exposed online, has been published on vpnMentor’s site at https://www.vpnmentor.com/blog/report-csc-bhim-leak/